There's no evidence of this vulnerability being exploited in the wild, even though paying customers of the VulnDisco security product have been given access to a working exploit since February the 1st.

A patched Firefox release candidate is already available, so if you're really scared or impatient you can get it here.

As almost always happens, NoScript* has been protecting its users since day 0, keeping its promise of preventing exploitation of security vulnerabilities (known and even not yet known!).

Update 2010-03-23

In the meantime, Mozilla decided to go through the effort of releasing Firefox 3.6.2 one whole week ahead of schedule for the greater good, so if you haven't seen the "Available update" message yet, just use Help|Check for updates now.

Now that vulnerability details are not embargoed anymore, I can add that exploitation required the browser to load a specially crafted web font. The relevant NoScript feature protecting against this is NoScript Options|Embeddings|Forbid @font-face, which is checked by default.
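To see which font downloads a page's stylesheet would trigger, and therefore what forbidding @font-face stops the browser from fetching and parsing, here is an added example (not code from this post or from NoScript). The sample CSS, the host names and the function names are constructed for illustration, and it assumes plain, non-nested CSS text.

```javascript
// Added example: list the font resources that @font-face rules in a
// stylesheet would make the browser download. All sample data is constructed.
const PAGE_URL = "http://www.example.com/article.html"; // constructed
const SAMPLE_CSS = `
/* @font-face { src: url(http://ignored.example/commented.woff); } */
@font-face {
  font-family: "Body";
  src: local("Helvetica"), url(/fonts/body.woff) format("woff");
}
@font-face { font-family: Promo; src: url('http://cdn.example.net/promo.ttf'); }
p { background: url(/img/bg.png); }
`;

// Returns [{family, url, kind}] for every url() inside an @font-face block.
// kind is "same-origin", "third-party", "inline" (data: URI) or "invalid".
function listFontFaceSources(cssText, pageUrl) {
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, ""); // drop CSS comments
  const pageOrigin = new URL(pageUrl).origin;
  const results = [];
  const blockRe = /@font-face\s*\{([^}]*)\}/gi;
  let block;
  while ((block = blockRe.exec(css)) !== null) {
    const body = block[1];
    const fam = /font-family\s*:\s*["']?([^;"']+)["']?/i.exec(body);
    const family = fam ? fam[1].trim() : "(unnamed)";
    // url("x"), url('x') or url(x); local(...) sources are not downloads
    const urlRe = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s]*))\s*\)/gi;
    let u;
    while ((u = urlRe.exec(body)) !== null) {
      const raw = u[1] ?? u[2] ?? u[3];
      if (/^data:/i.test(raw)) {
        results.push({ family, url: "data:", kind: "inline" });
        continue;
      }
      try {
        const abs = new URL(raw, pageUrl); // resolve relative references
        const kind = abs.origin === pageOrigin ? "same-origin" : "third-party";
        results.push({ family, url: abs.href, kind });
      } catch (e) {
        results.push({ family, url: raw, kind: "invalid" });
      }
    }
  }
  return results;
}

console.log(listFontFaceSources(SAMPLE_CSS, PAGE_URL));
```

Every entry it reports, whatever its origin, is data handed to the browser's font parser once the rule is applied.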

This entry was posted on Monday, March 22nd, 2010 at 7:04 pm and is filed under Mozilla, Security, NoScript.

@Faust:
No, it is not Java-related, but don't forget that "embeddings" blocked by NoScript are not limited to Java :)

Anyway, having analyzed the bug in question before making it, I can confirm that my statement about NoScript protection is correct.

Edit 2010-03-23
Now that details are not embargoed anymore, I can tell you that exploitation required the browser to download a specially crafted web font. The relevant (default) NoScript setting against this is NoScript Options|Embeddings|Forbid @font-face.

@BC:
Exactly this kind of scenario.
Current font parsers are rather old, and have been implemented without the "fonts as a possible remote attack vector" mindset.
Now that any web page can feed them, fonts are much more dangerous than simple images (which still, from time to time, suffer from codec bugs) and at least as dangerous as generic plugin content.
